CVE-2014-2741 - OpenCVE

nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Igniterealtime	Openfire

Configuration 1 [-]

cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://community.igniterealtime.org/thread/52317
http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77
http://openwall.com/lists/oss-security/2014/04/07/7
http://openwall.com/lists/oss-security/2014/04/09/1
http://www.kb.cert.org/vuls/id/495476
http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2014-04-11T01:00:00

Updated: 2024-08-06T10:21:36.080Z

Reserved: 2014-04-08T00:00:00

Link: CVE-2014-2741

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-04-11T01:55:05.473

Modified: 2014-05-05T05:34:23.020

Link: CVE-2014-2741

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-04-04T00:00:00", "descriptions": [{"lang": "en", "value": "nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-04-24T04:57:00", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"}, {"name": "VU#495476", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/495476"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77"}, {"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/04/09/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://community.igniterealtime.org/thread/52317"}, {"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/04/07/7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2014-2741", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/", "refsource": "MISC", "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"}, {"name": "VU#495476", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/495476"}, {"name": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77", "refsource": "CONFIRM", "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77"}, {"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/04/09/1"}, {"name": "http://community.igniterealtime.org/thread/52317", "refsource": "CONFIRM", "url": "http://community.igniterealtime.org/thread/52317"}, {"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/04/07/7"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:21:36.080Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"}, {"name": "VU#495476", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/495476"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77"}, {"name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/04/09/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://community.igniterealtime.org/thread/52317"}, {"name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/04/07/7"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2014-2741", "datePublished": "2014-04-11T01:00:00", "dateReserved": "2014-04-08T00:00:00", "dateUpdated": "2024-08-06T10:21:36.080Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "28930E5F-0943-436F-9593-9CFA781370A9", "versionEndIncluding": "3.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack."}, {"lang": "es", "value": "El archivo nio/XMLLightweightParser.java en Ignite Realtime Openfire anterior a versi\u00f3n 3.9.2, no restringe apropiadamente el procesamiento de elementos XML comprimidos, lo que permite a los atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) por medio de una secuencia XMPP dise\u00f1ada, tambi\u00e9n conocido como ataque \"xmppbomb\" ."}], "id": "CVE-2014-2741", "lastModified": "2014-05-05T05:34:23.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-11T01:55:05.473", "references": [{"source": "security@debian.org", "url": "http://community.igniterealtime.org/thread/52317"}, {"source": "security@debian.org", "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77"}, {"source": "security@debian.org", "url": "http://openwall.com/lists/oss-security/2014/04/07/7"}, {"source": "security@debian.org", "url": "http://openwall.com/lists/oss-security/2014/04/09/1"}, {"source": "security@debian.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/495476"}, {"source": "security@debian.org", "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}